K8S Basic Operations - 29 - Backing Up and Restoring a Cluster
Ways to back up
Velero
A K8S backup tool that can even be deployed simply on Docker, and it comes with a Web GUI.
Simple to operate and complete in features.
This approach can even package Volumes into the backup.
(At the time of writing) it is open source and free.
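For a feel of the workflow, here is a minimal sketch of typical Velero CLI usage — the bucket name, plugin version, and namespace below are placeholders, and the exact install flags depend on which object-storage provider you use:

# Install the server-side components into the cluster (placeholder AWS/S3 settings).
velero install \
  --provider aws \
  --plugins velero/velero-plugin-for-aws:v1.8.0 \
  --bucket my-backup-bucket \
  --secret-file ./credentials-velero

# Create a backup of one namespace, then restore from it.
velero backup create demo-backup --include-namespaces demo
velero restore create --from-backup demo-backup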
Backing up with kubectl
This can back up most Pods, Deployments, and Services. It cannot capture the full cluster configuration or Volumes, but if that limitation does not matter much, it is still a very convenient approach.
kubectl get all --all-namespaces -o yaml > all-deploy-services.yaml
Afterwards, edit all-deploy-services.yaml until it can be applied successfully.
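To make the dump re-applicable, the server-managed read-only fields have to come out. A minimal cleanup sketch, assuming mikefarah's yq v4 is available (the exact fields you need to strip can vary by resource type):

# Strip server-managed fields so the dump can be re-applied, then apply it.
yq eval 'del(.items[].status) | del(.items[].metadata.resourceVersion) | del(.items[].metadata.uid) | del(.items[].metadata.creationTimestamp)' \
  all-deploy-services.yaml > all-deploy-services.clean.yaml
kubectl apply -f all-deploy-services.clean.yaml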
Backing up ETCD
This backs up the complete cluster configuration (though still not Volumes), so it is more complete than the methods above. The steps are as follows.
Inspect the ETCD configuration
kubectl -n kube-system describe pod etcd-controlplane
The output looks something like this:
Name:                 etcd-controlplane
Namespace:            kube-system
Priority:             2000001000
Priority Class Name:  system-node-critical
Node:                 controlplane/192.11.251.9
Start Time:           Sun, 04 Feb 2024 02:43:44 -0500
Labels:               component=etcd
                      tier=control-plane
Annotations:          kubeadm.kubernetes.io/etcd.advertise-client-urls: https://192.11.251.9:2379
                      kubernetes.io/config.hash: 3b193098c2e7a87da2b294d778e9a27c
                      kubernetes.io/config.mirror: 3b193098c2e7a87da2b294d778e9a27c
                      kubernetes.io/config.seen: 2024-02-04T02:43:43.187940375-05:00
                      kubernetes.io/config.source: file
Status:               Running
SeccompProfile:       RuntimeDefault
IP:                   192.11.251.9
IPs:
  IP:  192.11.251.9
Controlled By:  Node/controlplane
Containers:
  etcd:
    Container ID:  containerd://f94656df8fd5a33e64029868aec83122508c7c8803519513095d4b7d34e55487
    Image:         registry.k8s.io/etcd:3.5.7-0
    Image ID:      registry.k8s.io/etcd@sha256:51eae8381dcb1078289fa7b4f3df2630cdc18d09fb56f8e56b41c40e191d6c83
    Port:          <none>
    Host Port:     <none>
    Command:
      etcd
      --advertise-client-urls=https://192.11.251.9:2379
      --cert-file=/etc/kubernetes/pki/etcd/server.crt
      --client-cert-auth=true
      --data-dir=/var/lib/etcd
      --experimental-initial-corrupt-check=true
      --experimental-watch-progress-notify-interval=5s
      --initial-advertise-peer-urls=https://192.11.251.9:2380
      --initial-cluster=controlplane=https://192.11.251.9:2380
      --key-file=/etc/kubernetes/pki/etcd/server.key
      --listen-client-urls=https://127.0.0.1:2379,https://192.11.251.9:2379
      --listen-metrics-urls=http://127.0.0.1:2381
      --listen-peer-urls=https://192.11.251.9:2380
      --name=controlplane
      --peer-cert-file=/etc/kubernetes/pki/etcd/peer.crt
      --peer-client-cert-auth=true
      --peer-key-file=/etc/kubernetes/pki/etcd/peer.key
      --peer-trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt
      --snapshot-count=10000
      --trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt
    State:          Running
      Started:      Sun, 04 Feb 2024 02:43:34 -0500
    Ready:          True
    Restart Count:  0
    Requests:
      cpu:     100m
      memory:  100Mi
    Liveness:     http-get http://127.0.0.1:2381/health%3Fexclude=NOSPACE&serializable=true delay=10s timeout=15s period=10s #success=1 #failure=8
    Startup:      http-get http://127.0.0.1:2381/health%3Fserializable=false delay=10s timeout=15s period=10s #success=1 #failure=24
    Environment:  <none>
    Mounts:
      /etc/kubernetes/pki/etcd from etcd-certs (rw)
      /var/lib/etcd from etcd-data (rw)
Conditions:
  Type              Status
  Initialized       True
  Ready             True
  ContainersReady   True
  PodScheduled      True
Volumes:
  etcd-certs:
    Type:          HostPath (bare host directory volume)
    Path:          /etc/kubernetes/pki/etcd
    HostPathType:  DirectoryOrCreate
  etcd-data:
    Type:          HostPath (bare host directory volume)
    Path:          /var/lib/etcd
    HostPathType:  DirectoryOrCreate
QoS Class:        Burstable
Node-Selectors:   <none>
Tolerations:      :NoExecute op=Exists
Events:           <none>
This section shows etcd's runtime configuration; in particular, --listen-client-urls, --cert-file, --key-file, --trusted-ca-file, and --data-dir are the values the backup and restore commands below will need:
Command:
etcd
--advertise-client-urls=https://192.11.251.9:2379
--cert-file=/etc/kubernetes/pki/etcd/server.crt
--client-cert-auth=true
--data-dir=/var/lib/etcd
--experimental-initial-corrupt-check=true
--experimental-watch-progress-notify-interval=5s
--initial-advertise-peer-urls=https://192.11.251.9:2380
--initial-cluster=controlplane=https://192.11.251.9:2380
--key-file=/etc/kubernetes/pki/etcd/server.key
--listen-client-urls=https://127.0.0.1:2379,https://192.11.251.9:2379
--listen-metrics-urls=http://127.0.0.1:2381
--listen-peer-urls=https://192.11.251.9:2380
--name=controlplane
--peer-cert-file=/etc/kubernetes/pki/etcd/peer.crt
--peer-client-cert-auth=true
--peer-key-file=/etc/kubernetes/pki/etcd/peer.key
--peer-trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt
--snapshot-count=10000
--trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt
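Instead of reading the whole describe output, the same flags can also be pulled straight from the static-pod manifest (a small helper sketch):

# List only the etcd flags that the backup/restore commands below rely on.
grep -E -- '--(cert-file|key-file|trusted-ca-file|listen-client-urls|data-dir)=' \
  /etc/kubernetes/manifests/etcd.yaml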
Back up:
ETCDCTL_API=3 etcdctl \
snapshot save snapshot.db \
--endpoints=https://127.0.0.1:2379 \
--cacert=/etc/kubernetes/pki/etcd/ca.crt \
--cert=/etc/kubernetes/pki/etcd/server.crt \
--key=/etc/kubernetes/pki/etcd/server.key
Why do we have to pass --endpoints? Because etcdctl does not go looking for the local K8S ETCD server's configuration on its own, we must tell it explicitly that "the ETCD server running on 127.0.0.1 is the host we want to back up" before the backup can start.
(For the same reason, this approach can also be used to back up a remote ETCD host.)
To connect to the ETCD host successfully, we must also provide the certificate and key.
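If you would rather not install etcdctl on your workstation, a common alternative (a sketch; the Pod name matches the controlplane node seen above) is to run the same command inside the etcd Pod itself, which already has the certificates and data directory mounted:

# Run etcdctl inside the etcd static Pod; /var/lib/etcd is a hostPath mount,
# so the snapshot file lands on the control-plane node's filesystem.
kubectl -n kube-system exec etcd-controlplane -- etcdctl \
  snapshot save /var/lib/etcd/snapshot.db \
  --endpoints=https://127.0.0.1:2379 \
  --cacert=/etc/kubernetes/pki/etcd/ca.crt \
  --cert=/etc/kubernetes/pki/etcd/server.crt \
  --key=/etc/kubernetes/pki/etcd/server.key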
Check the contents of the backup:
etcdctl snapshot status snapshot.db
The result:
+----------+----------+------------+------------+
|   HASH   | REVISION | TOTAL KEYS | TOTAL SIZE |
+----------+----------+------------+------------+
| e63b3fc5 |   473353 |        875 |     4.1 MB |
+----------+----------+------------+------------+
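As a side note, newer etcd releases (3.5 and later) are moving the offline snapshot subcommands into the separate etcdutl binary; if it is present, the equivalent check is:

# Offline status check of the snapshot file (etcd 3.5+).
etcdutl snapshot status snapshot.db --write-out=table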
Restoring the backup
When restoring the saved state, the restored data must not be written back into the original /var/lib/etcd directory, so we use a new directory, /var/lib/etcd-from-backup, to hold the restored etcd data.
Restore:
ETCDCTL_API=3 etcdctl \
snapshot restore snapshot.db \
--data-dir /var/lib/etcd-from-backup
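On etcd 3.5+ the same restore can also be done with etcdutl, which is explicitly an offline tool and needs no endpoint or certificates:

# Offline restore into a fresh data directory (etcd 3.5+).
etcdutl snapshot restore snapshot.db --data-dir /var/lib/etcd-from-backup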
Because ETCD runs as a static Pod, its manifest is stored at the following location:
/etc/kubernetes/manifests/etcd.yaml
Now edit etcd.yaml, changing the following section:
  volumes:
  - hostPath:
      path: /etc/kubernetes/pki/etcd
      type: DirectoryOrCreate
    name: etcd-certs
  - hostPath:
      path: /var/lib/etcd
      type: DirectoryOrCreate
    name: etcd-data
to:
  volumes:
  - hostPath:
      path: /etc/kubernetes/pki/etcd
      type: DirectoryOrCreate
    name: etcd-certs
  - hostPath:
      path: /var/lib/etcd-from-backup
      type: DirectoryOrCreate
    name: etcd-data
To be thorough, you can replace every occurrence of /var/lib/etcd in the manifest (the hostPath above, the volumeMount, and the --data-dir flag) with /var/lib/etcd-from-backup.
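One way to do that blanket replacement (a sketch; run it only once, against the original manifest, and keep a copy first):

# Back up the original manifest, then point every /var/lib/etcd reference
# (hostPath, volumeMount, and --data-dir) at the restored directory.
cp /etc/kubernetes/manifests/etcd.yaml /root/etcd.yaml.bak
sed -i 's#/var/lib/etcd#/var/lib/etcd-from-backup#g' /etc/kubernetes/manifests/etcd.yaml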
Then let the updated manifest take effect. Because etcd is a static Pod, there is no need to run kubectl apply: the kubelet watches /etc/kubernetes/manifests, and as soon as the edited etcd.yaml is saved it tears down the old etcd Pod and recreates it with the new settings.
Once it is back up, all Deployments, Services, and Pods are restored to the state of the snapshot.
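To confirm the restore took effect, it helps to wait for the etcd static Pod to come back and then spot-check the restored objects (a sketch):

# The kubelet recreates the etcd Pod after the manifest change; watch until it is Running.
kubectl -n kube-system get pod etcd-controlplane -w
# Then verify the workloads match the snapshot.
kubectl get deployments,services,pods --all-namespaces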